Telemedicine is a means of connecting providers with remote or underserved patients. Proper telemedicine systems are necessary to be able to conduct clinical examinations on a patient remotely. These telemedicine systems typically include an encounter management platform, specialised medical devices and a video conferencing network. Importantly, the best telemedicine systems also pair seamlessly with other IT solutions. In this way, treating patients becomes more efficient and dynamic, rather than a technological silo.

Working alongside some of the most common EMR platforms, a telemedicine encounter can smoothly integrate data from a check-up or appointment. Images, EKG reports, vital signs data and other information are saved easily and securely, without disrupting existing workflows.

Business as usual

Practice Fusion found that only a decade ago, roughly 9 in 10 doctors in the U.S. updated and stored patient records by hand. Since then, paper charts and color-coded files have been replaced by EMR systems that are more efficient and more powerful. Telemedicine systems are also being quickly integrated into everyday healthcare services, and the combination of the two is both cogent and seamless.

A telemedicine encounter is easy and simple to navigate for doctors and patients.

Images from a telemedicine encounter can be easily added to a patient's EMR following an appointment. The same is true of X-rays, CT scans and other images, ECG reports, or vital signs data. By working with existing EMR platforms, telemedicine systems can adapt to a provider's specific workflow. Because saving data and images is so easy, something as simple as an HL7 configuration file can be used to relay information from a telemedicine software platform into an EMR. This is very much like the way a proper HIE system works. In this way, little needs to be changed in integrating a telemedicine system. This reduces lapses in production when implementing telemedicine into a practice.

The most recent technology advancement making a significant impact on the world of integration between telemedicine and EMRs is the availability of robust APIs from the best telemedicine software companies. This means healthcare professionals can work on one platform without having to manage two separate windows or applications, resulting in a much smoother workflow and faster adoption process.

Security and ease of use

EMRs are already leveraged to reduce administrative overhead and the possibility of human errors. Paired with telemedicine, the two technologies make it easier for healthcare professionals to manage patient encounters, control privacy and reduce the possibility of data entry mishaps.

The UI during a telemedicine encounter doesn't just make it easy to store patient data, but also works to eliminate misplaced or lost documents during the charting process. That way a doctor can quickly prepare for the next patient without worrying about any mistakes. The best telemedicine platforms come with robust security measures to ensure the patient encounter is private and well-protected from third-parties or sources of compromised privacy. In this way, it is easy to exchange information in real-time and store the data for later reference in an EMR.

An integrated UI also makes it simple for a physician to draw from a patient's EMR during a telemedicine encounter. This makes care more targeted and personal. While a physician is treating a patient using an embedded telemedicine system, an individual's EMR can also be accessed. In this way, an individual's entire health history is available to doctors, even if a patient is dozens or hundreds of miles away. This access to data allows for high-quality care that is more efficient, accessible and coordinated.

Within the healthcare industry, EHR data interoperability has become all the rage, as medical providers, the federal government, media, and health IT vendors continue discussing the impact and benefits of interoperable, electronic patient records. In fact, more EHR vendors and developers are starting to bring interoperable products in front of providers.

For example, the medical device manufacturer Smiths Medical will be revealing its management software with an interoperability platform at the Association for the Advancement of Medical Instrumentation (AAMI) Conference taking place between June 5 and June 8 in Denver, Colorado, according to a company press release.

In addition to the new developments within the health IT field regarding EHR data interoperability, the Office of the National Coordinator for Health IT (ONC) has published public comments to its nationwide interoperability roadmap.

“I am very opposed to this,” one respondent stated. “It proposes to repeal federal law that allows state legislatures to enact true medical privacy laws for citizens. It views patient data as public property rather than personal property. It has uses of data that many patients will not accept.”

The comments show how controversial EHR data interoperability is currently among consumers across the nation. Patient data privacy and security is, as always, at the forefront of the discussion and federal agencies continue to address its importance.

As ONC and the Centers for Medicare & Medicaid Services (CMS) release proposed meaningful use requirements, some entities have found the EHR data interoperability provisions stressed under the Stage 3 Meaningful Use proposed rule overly complex to implement across the industry.

Recently, the American Medical Association (AMA) has sent a letter to both CMS and ONC expressing its concerns over the complexity within Stage 3 Meaningful Use requirements that may impair EHR data interoperability. The inadequacies in building up sufficient health information exchange systems throughout the nation could lead to negative impacts on population health management efforts as well as overall quality of patient care.

As privacy and security continue to impact the ongoing reforms toward effective EHR data interoperability and health information exchange, the AMA underscored the security risks that EHR technology poses to the medical sector and patient safety.

“Another area where attention is lacking is how to address the growing privacy and security risks related to EHRs and other technology. Between 2010-2013 there were almost a 1,000 significant data breaches affecting 29 million patients, two-thirds of which involved electronic data. Moving to an electronic environment has greatly increased the probability of cybersecurity threats and breaches of patient data. Already, we have seen major institutions experience large data breaches that affect thousands of patients, as well as new cyber-attacks that cause EHRs to go dark literally for days,” the AMA letter stated before CMS and ONC rule makers.

“Rather than address these concerns, the proposed rule tries to highlight the numerous technology advancements that can be used and added to EHRs. It, however, fails to address how this may increase the risk for privacy and security problems… Before expanding the program to include additional technology and other requirements, we believe that the immediate need for greater protection of patient information must first be addressed.”

Anyone who enjoys watching the quiz show Jeopardy! has heard about the computer system Watson, which was initially developed to compete on the show but has since garnered the attention of leaders across a variety of industries. Watson can even be used to better analyze EHR patient data and lead to improved quality of care.

The company division IBM Watson Health has announced today that it is working with Epic and the Mayo Clinic to apply some of the computing capabilities of Watson to analyzing EHR patient data and systems in order to boost patient health outcomes. Providers will also gain advantages when applying Watson’s power to EHRs and gaining faster analysis of the many issues that affect a patient’s health and wellness.

Using secure, cloud-based Watson services will help physicians with clinical decision making and understanding of patients’ medical conditions. Over the last year, Epic has exchanged more than 80 million patient health records within its community and outside of it.

“Building on our recent announcement of IBM Watson Health, we are collaborating with Epic and Mayo Clinic in another important validation of the potential of Watson to be used broadly across the healthcare industry,” Mike Rhodin, Senior Vice President of IBM Watson, remarked in a public statement. “This is just the first step in our vision to bring more personalized care to individual patients by connecting traditional sources of patient information with the growing pools of dynamic and constantly growing healthcare information.”

The hope is to have Watson and Epic software be utilized to effectively create patient treatment protocols and more customized health management solutions for patients with chronic conditions. Watson would be used to bring forth relevant case studies and medical knowledge that is applicable to treating a patient when doctors and other healthcare professionals share EHR patient data with Watson in real-time.

Epic will be incorporating Watson’s computing features into its clinical decision support tools including Health Level-7 (HL7) Fast Healthcare Interoperability Resources (FHIR) Application Programming Interfaces (APIs). Through this combined system, clinicians will be able to more quickly access the knowledge necessary to more effectively treat patients and improve health outcomes.

IBM and Mayo Clinic are collaborating on ways to revolutionize cognitive computing by applying it to clinical trials matching among cancer patients. With the streamlined and accurate processes available through Watson’s computing capabilities, physicians are able to register patients much faster in relevant clinical trials that are customized to each individual’s needs. With more than 1 million patients seen at the Mayo Clinic every year and more than 1,000 clinical trials available year-round, integrating Watson should lead to significant progress in quickly assigning patients to innovative studies.

“Patients need answers, and Watson helps provide them quickly and more thoroughly. We are excited by Watson’s potential to efficiently provide clinical trials information at the point of care,” Dr. Steven Alberts, an oncologist at Mayo Clinic, said in a public statement.

IBM’s Watson offers significant opportunity for healthcare providers to bring about high-quality care through the use of cognitive computing capabilities tailored to each individual patient.

A new survey shows that many consumers are concerned about whether their healthcare information will remain private once electronic records are routinely exchanged among providers. But experts say a good way to address those concerns is for organizations to be transparent with patients about who's accessing their data and why.

"Acknowledge their concerns," Culver says. "Be clear and transparent about how data will be used and by whom. Confirm that the organization adheres to current data security practices and standards. ... Provide the option for consumers to access audit reports of who is looking at their data."

Survey Results

The new survey, published this month in the Journal of the American Medical Informatics Association, found that more than half of California consumers believe that EHRs worsen information privacy and nearly 43 percent believe they worsen security.

When it comes to the impact of health information exchange, 40 percent of consumers surveyed say it worsens privacy and 43 percent say it worsens security.

The report was based on a phone survey of 800 consumers in California conducted by researchers at the University of California's Sacramento and San Diego campuses.

"While consumers show willingness to share health information electronically, they value individual control and privacy," the researchers wrote. "Responsiveness to these needs, rather than mere reliance on HIPAA may improve support of data networks."

Access Reports

Consumer confidence in EHRs and HIEs could be boosted if patients are given the opportunity to get reports on who accesses their records, says David Whitlinger, executive director of the New York eHealth Collaborative. The group coordinates activities for the Statewide Health Information Network of New York, which is the state's health information exchange.

SHIN-NY plans to provide consumers with such access reports through the HIE's patient portal, he says.

"They'll be able to look to see who accessed their records via SHIN-NY," he says. Providing patients with access reports about their health records is akin to credit bureaus providing consumers with reports about who accessed their credit reports, he says. "If patients ask who has accessed their records, and can get a report, that will go a long way to alleviate concerns."

Regulatory Activity

In fact, federal regulators have been working on proposals regarding an accounting of health information disclosures and EHR access reports for patients.

The HITECH Act mandated the Department of Health and Human Services update HIPAA requirements for an accounting of disclosures of protected health information. In May 2011, HHS' Office for Civil Rights issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision.

As proposed, the access report would need to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. That access report would include EHR disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current HIPAA accounting of disclosures rule.

Many of the public comments that HHS received on the access report proposal claimed that it would prove to be technically unfeasible for EHR vendors to implement, and complex and expensive for healthcare organizations.

But Whitlinger doesn't buy those arguments. "The provider community realizes that they will get challenged about who accessed [a patient's] record, and they don't want to deal with that," he says. And he believes that some EHR vendors "don't want to have to go down the path of how to make these access reports representative and valuable" for patients.

OCR Director Jocelyn Samuels said in January that the agency was considering a possible request for additional public input on HHS' proposed accounting of disclosures rule making. OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule, she said.

Patient Control

An executive at EHR vendor Athenahealth says that patients will become more confident in the security and privacy of their health records if they have more control over that information.

"Too often, patient data and its sharing is controlled not by the patient but by large care organizations and their health IT vendors," says Dan Healy, Athenahealth's vice president of government and regulatory affairs. "Our vision is of a system of patient-centered information exchange, putting control back in the hands of the patient. That will do more than anything else to increase confidence."

Some security experts are concerned that narrower risk assessment requirements in a proposed rule for Stage 3 of the HITECH Act "meaningful use" electronic health records incentive program could confuse healthcare organizations about the importance of conducting a broader risk assessment as required under HIPAA.

The rules are slated to be published in the Federal Register on March 30, with HHS accepting public comment for 60 days. Regulators are expected to issue final rules after reviewing the comments, which could take months.

Under Stage 3 of the HITECH Act incentive program, eligible hospitals and healthcare professionals can qualify to receive additional incentives by "meaningfully" using certified EHR software to accomplish a list of objectives, including sending secure messages to patients and conducting a security risk assessment of EHR data.

Currently, depending upon when they began participating in the HITECH program, which launched in 2011, eligible hospitals and healthcare professionals are participating in Stage 1 or Stage 2 of the program.

Under the HITECH Act, penalties for not using a certified EHR system will kick in beginning in January 2018. Hospitals and physicians participating in the Medicare program must meet a list of Stage 3 objectives and measurements to avoid reduced Medicare payments, a CMS spokesman explains. Those participating in Medicaid have through 2021 to qualify for financial incentives under the HITECH program, and are not subject to financial penalties for failing to meet the objectives.

Meaningful Use Proposals

One of the most significant proposed changes for Stage 3 requirements deals with risk assessments.

While healthcare providers are still expected to conduct broader HIPAA security risk analysis as part of their HIPAA compliance, the Stage 3 proposals state that healthcare providers must conduct annually an assessment that specifically looks at technical, administrative and physical risks and vulnerabilities to electronic protected health information created or maintained by the certified EHR technology.

The proposal addresses "the relationship" between this EHR-related measure and the HIPAA Security Rule risk assessments. "We explain that the requirement of this proposed measure is narrower than what is required to satisfy the security risk analysis requirement under [HIPAA]," the proposal says.

"The requirement of this proposed measure is limited to annually conducting or reviewing a security risk analysis to assess whether the technical, administrative and physical safeguards and risk management strategies are sufficient to reduce the potential risks and vulnerabilities to the confidentiality, availability and integrity of ePHI created by or maintained in [the certified EHR technology]," says the proposal.

"In contrast, the security risk analysis requirement under [HIPAA] must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains or transmits. This includes ePHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media or portable electronic media."

"With the new MU Stage 3 there was clarification that this was the original intent" to assess the security risk of EHR data, he says.

However, the focus on the annual security risk analysis of EHR data may inadvertently water down the importance of conducting broader HIPAA risk analysis, he says.

"Some organizations, especially smaller organizations that do not have a dedicated information security professional on staff, think that the only risk analysis they need to conduct is just for the certified EHR," Walsh says. "The HIPAA Security Rule requires that all applications and systems that store or transmit ePHI need to have a risk analysis conducted."

John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston, expressed disappointment with the risk assessment language in the proposed meaningful use rule. "The MU3 security requirements are less than HIPAA requirements in that they focus only on the EHR and not all information flows. Since security is an end-to-end process, it is not clear to me why the security focus of MU should be less than HIPAA."

Halamka suggests that "maybe a balanced approach is to require a HIPAA Security analysis - NIST 800-66 for example - once every three years, then ask for yearly progress on the plan, rather than yearly re-audits."

Secure Messaging

Another security issue spotlighted in the meaningful use requirements proposed for Stage 3 is secure messaging.

The proposal calls for healthcare providers to ramp up patient communication using secure messaging, especially after patients are discharged from a hospital or emergency room. For instance, the proposal says that providers should electronically send secure messages to more than 35 percent of all patients seen by a provider or discharged from a hospital during the EHR reporting period. The secure message should be sent "using the electronic messaging function of the certified EHR technology to the patient - or the patient's authorized representatives - or in response to a secure message sent by the patient or the patient's authorized representative."

It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members; or donate them to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synched to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.

Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients' confidential information, as one California hospital has observed this past week.

Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients' medical data for an entire year.

The incident was discovered after the hospital conducted an EHR audit back in October 2014, when it was first discovered that only 14 individuals had had their PHI compromised.

Following an "expanded investigation," hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients being identified as having their information inappropriately accessed. The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes.

As officials pointed out, the hospital has "reiterated to all staff that policy allows them to access patient information only when necessary to perform job duties and that violating this policy may result in loss of employment," they wrote in a Jan. 23 press notification.

The biggest way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News in spring 2014 on Verizon's annual breach report. "You need to know who has the data, who has access to the data, and you need to monitor it," Widup pointed out. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."

This snooping incident at California Pacific Medical Center is far from an isolated event. As more hospitals conduct more regular EHR audits, cases like this are only increasing in number.

One of the more egregious incidents was reported by the five-hospital Riverside Health System back in December 2013. Following a random company audit, officials discovered an employee had unrestricted access to Social Security numbers and clinical data of close to 1,000 patients for a period of four years.

Then, of course, there was the HIPAA breach at University Hospitals just in December, where an employee had been reading confidential medical records of nearly 700 patients. What's more, the employee had unfettered access to the records for nearly three and a half years before being discovered and was only caught because the health system had received a snooping complaint.

This kind of employee behavior has long been on the minds of chief information officers nationwide.

In an interview with Texas Health Resources Chief Information Officer Ed Marx this past summer, he told us: "The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do."

Out of the nearly 42 million individuals that have had their protected health information compromised in reportable HIPAA privacy and security breaches, nearly 13 percent of them involve inappropriate access or disclosure of patient records, according to data from the Department of Health and Human Services.

Your organization can have the most well-crafted privacy and security policies in the world. But if those policies are accompanied by lukewarm emphasis and no accountability, or your staff just downright ignores them, you have a big security problem – just like the folks at one Ohio-based health system did last week.

Cleveland-based University Hospitals on Friday notified nearly 700 patients of a HIPAA privacy breach after one of its employees was caught snooping on confidential medical records. What's more, the employee was able to inappropriately access patient medical and financial records for nearly three and a half years without UH knowing.

UH had received a complaint over the employee's inappropriate access to the health system's electronic medical record system, and only after the allegation did UH audit the user's EMR access, according to a UH spokesperson. On Oct. 2, health system officials discovered the staff member had been snooping into the EMRs of 692 patients from January 2011 through June 2014.

The staff member, whose employment has since been terminated, was able to gain unfettered access to patient names, medical diagnoses, health insurance numbers, dates of birth, home addresses and additional treatment data. Other patients had their Social Security numbers, financial data, credit card numbers and driver's license numbers viewed.

"UH takes the protection of patient health information very seriously," wrote UH officials in a Nov. 28 press release. "UH continually evaluates and modifies its practices to enhance the security and privacy of its patients' information, including the ongoing training, education and counseling of its workforce regarding patient privacy matters."

The biggest way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News this spring regarding Verizon's annual breach report. "You need to know who has the data, who has access to the data, and you need to monitor it," said Widup. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."

It's cases like what transpired at UH, where the action comes down to an individual employee, that have many healthcare security officials on edge.

"The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do," said Texas Health Resources Chief Information Officer Ed Marx, in an interview with Healthcare IT News this summer.

More than 41.4 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.

This article addresses the issue of breach of confidential information within a patient record using electronic medical records. Accessing patient's records is much easier with EMR. Previously, with a paper chart there was only access to information from that visit contained within the record. With EMR, all information is accessible. This includes financial and private data. The potential for a patient to have his or her personal information obtained is huge. I believe it is the responsibility of the health care provider to monitor the use of this information by their employees to ensure proper use.

Today the American Hospital Association (AHA) and the College of Healthcare Information Management Executives (CHIME) released the results of its HealthCare's Most Wired™ Survey, which illustrated that data security and patient engagement are the most important concerns among the country’s hospitals.

This survey focuses on analyzing health IT adoption among hospitals across the country and studies how health IT can be used to improve value-based healthcare metrics. Hospitals are currently taking more aggressive approaches to ensuring patient data remains private and secure.

“With the rising number of patient data breaches and cybersecurity attacks threatening the healthcare industry, protecting patient health information is a top priority for hospital customers,” Frank Nydam, Senior Director of Healthcare at VMware, said in a press release. “Coupled with the incredible technology innovation taking place today, healthcare organizations need to have security as a foundational component of their mobility, cloud and networking strategy and incorporated into the very fabric of the organization.”

Due to the Stage 2 Meaningful Use requirements under the Medicare and Medicaid EHR Incentive Programs, more hospitals have pushed forward patient engagement measures as well. The results from the survey show that 89 percent of Most Wired hospitals offer patient portal capabilities, 67 percent established a method for integrating patient-generated data, and 63 percent include patient tools for managing chronic disease.

“We commend and congratulate this year's Most Wired hospitals and their CIOs for improving care delivery and outcomes in our nation's hospitals through their creative and revolutionary uses of technology,” CHIME CEO and President Russell P. Branzell, FCHIME CHCIO, stated in the release. “These Most Wired organizations represent excellence in IT leadership on the frontlines of healthcare transformation.”

When it comes to the practice of medicine and drug discovery, the federal government plays a role in supporting these sectors and developing legislation that opens up avenues for healthcare professionals and scientific researchers. The House Committee on Energy and Commerce has gone forward with creating legislation called 21st Century Cures that delves directly into stimulating the discovery and development of new treatments and medications for patients across the nation. The legislation also impacts the expansion of EHR interoperability.

While the intentions of the 21st Century Cures legislation are beneficial for drug discovery, the American Hospital Association (AHA) finds that the enforcement strategies under the proposed rules could have negative consequences for providers, particularly in its aim to expand EHR interoperability.

AHA Executive Vice President Rick Pollack stated in a letter to the House Committee on Energy and Commerce that, while the organization appreciates the inclusion of EHR interoperability expansion, the “enforcement mechanisms” could lead to issues for healthcare providers, such as creating an ecosystem in which doctors may be significantly penalized for minor errors.

AHA does support health information exchange and EHR interoperability in pursuit of improving patient outcomes and incorporating new models of care. Nonetheless, AHA finds some aspects of the enforcement related to vendors participating in information blocking problematic.

“The bill includes a number of enforcement mechanisms against those who engage in information blocking,” wrote AHA Executive Vice President Rick Pollack in the letter. “On the provider side, we believe that the use of Medicare fraud and abuse mechanisms, such as investigations by the Office of the Inspector General, imposition of civil monetary penalties or exclusion from the Medicare program, is unnecessary and inappropriate to address the concerns that the legislation seeks to remedy. We recommend that you use the existing structures of the meaningful use program to promote information sharing.”

On behalf of AHA, Pollack mentions that the organization appreciates the committee’s aim to ensure EHR vendors are responsible for creating interoperable health IT products. However, Pollack also stated that the committee should instruct the Federal Trade Commission to analyze any anti-competitive behavior among EHR vendors. In particular, Pollack finds the decertification of EHR systems among vendors that participated in information blocking objectionable, as it would affect healthcare providers and disrupt patient care.

“The language also includes decertification as a sanction for vendors that engage in information blocking. Decertification would be disruptive to hospitals and physicians that have invested in and deployed an EHR that is later decertified,” Pollack explained. “However, the inclusion of provider protections against meaningful use penalties if their EHR is decertified makes it more reasonable.”

The protections against payment penalties under the Medicare and Medicaid EHR Incentive Programs would last for more than one year, which would give providers ample time to find a new vendor, develop a suitable contract, install another EHR system, and attest to relevant meaningful use requirements.

Additionally, AHA would like the definition of information blocking to become narrower so that standard business practices do not lead to charges of fraud. Essentially, AHA would like to reduce some of the punitive approaches the committee set forth and develop more positive approaches to expanding health information exchange.

Several healthcare associations have raised concerns about some of the privacy and security components of the Office of the National Coordinator for Health IT's proposed 10-year electronic health record interoperability roadmap.

For example, they expressed concern about proposals related to obtaining patient consent for sharing health information, cybersecurity activities and governance "rules of the road" for national data exchange.

ONC, the unit of the Department of Health and Human Services responsible for standards and policies of the HITECH Act EHR incentive program, in January released a draft roadmap for achieving nationwide secure health data exchange built on interoperable EHR systems.

While the ONC draft is a 10-year vision, it contains critical actions that can be taken by regulators and healthcare stakeholders in increments over the next three, six and 10 years, to help remove technical, policy and regulatory barriers that are hindering information exchange. The idea behind the plan is to make it possible for clinicians to securely access and share timely, potentially life-saving data about a patient, no matter where that patient is treated.

Over the next several months, ONC will review the comments it received and consider how they might be reflected in the final version of its interoperability roadmap expected to be released later this year.

Patient Consent

ONC in its roadmap introduced the concepts of "basic choice" patient consent related mostly to information that's allowed to be disclosed by covered entities under HIPAA for treatment, payment and operations, versus "granular choice" consent that patients would provide to allow sharing of specific data, such as sensitive information related to substance abuse or mental health treatment.

Under the HIPAA Privacy Rule, an individual's written authorization is not required for the sharing of health information for treatment, payment or operations. But many covered entities choose to obtain an individual's consent anyway, ONC notes. And that's what ONC describes as "basic choice" consent.

ONC says "granular choice" consent refers "not only to granular choice among clinical conditions that are protected by laws in addition to HIPAA, but eventually, granular choice, should a patient wish to express it, regarding other data distinctions to be determined ... such as research ... in which an individual has chosen to participate."

Some organizations in their comments say they are opposed to federal regulators introducing the concept of granular choice consent. That's because they say it could potentially fuel more confusion among healthcare entities about the patient data that can or cannot be exchanged under HIPAA versus other government regulations, including state privacy laws.

For instance, the Healthcare Information and Management Systems Society says it "does not see the benefit of, nor is in favor of, the introduction of the concepts of 'basic' and 'granular' choice, particularly in view of these concepts being contradictory and inconsistent with applicable law, for example, HIPAA and state law."

HIMSS says it "supports the idea that interoperability efforts should focus on facilitating exchange of data when the law expressly authorizes use or disclosure of protected health information. ... HIPAA should not be essentially rewritten, through a reinterpretation, with respect to erroneously stating that individuals have the right to individual access and individual choice under the Nationwide Privacy and Security Framework, based on the Federal Trade Commission's Fair Information Practice Principles."

Similarly, as it relates to information sharing and consent, the American Hospital Association says that it opposes potential changes to current government privacy and security policies in the effort to drive healthcare providers to share electronic health information. "With regard to privacy and security issues, the AHA strongly believes that improving the infrastructure to support secure data sharing in support of clinical care can be accomplished within the existing HIPAA requirements."

Cybersecurity Activities

When it comes to issues related to cybersecurity, the AHA urges ONC to leverage existing guidance, including the National Institute of Standards and Technology's framework, rather than start from scratch.

"The roadmap includes proposed activities for ONC or HHS, but activities in this area must align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations, including the Healthcare and Public Health Sector Coordinating Council, to work through health sector-specific issues," AHA says.

"Further, any detailed standards should be aligned with the NIST Cybersecurity Framework, which is the overarching federal approach to cybersecurity, and the existing HIPAA security rules."

Rules of the Road

ONC's draft interoperability roadmap also included "a call to action" for healthcare IT stakeholders to come together to establish a coordinated governance process for nationwide interoperability. Those proposals also included the possibility that ONC would consider regulatory options to ensure compliance with so-called governance "rules of the road."

"We caution against being overly ambitious with the development of a nationwide governance mechanism and encourage focused prioritization through ingrained collaboration among private and public sector stakeholders," CHIME and AMDIS say in their joint comments to ONC. "In our view, interoperability in the service of high quality, safe patient care should remain the principal focus of the near-term."

Other Recommendations

As part of its comments on the interoperability roadmap, HIMSS also made several privacy and security recommendations. Those include suggestions that ONC, federal partners and industry stakeholder groups collaborate on developing:

Personal Health Information (PHI) records and electronic PHIs (ePHIs) comprise our most confidential data, including demographic information, medical history, test and laboratory results and insurance information. Health care professionals utilize the PHI to identify the patient and determine appropriate care and treatment; insurers input financial data, and patients can access this information by request. Due to this highly sensitive combination of medical and financial data, these records have become a favorite target for hackers, as shown by the recent Premera and Anthem breaches.

As hackers become more sophisticated in their attacks, organizations must become increasingly vigilant in implementing HIPAA-compliant standards to secure their data. Healthcare organizations currently use both on-premises and cloud deployments to house their information. In fact, a recent survey of healthcare provider organizations indicates that 83% of IT executives report that they are currently using cloud services. The areas with the most uptake include lab systems and email services; electronic health record and information exchanges (CHIs, EMRs, Telehealth, etc.); and Shadow IT, in which staff enlist cloud-based services but not via their IT departments.

While the advantages in moving to the cloud include improved access, powerful processing capabilities, higher availability and significant savings with on-demand hosting, healthcare organizations are still wary that the cloud may deliver a less secure option. They are reluctant to transfer mission-critical and sensitive information to a seemingly anonymous IT admin in an unidentified location. Other organizations may be concerned that their IT teams may not have the requisite skills and processes to manage the migration and maintenance of the cloud deployment.

In the Public Cloud environment, responsibility for IT security is shared between the health care organization and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer, while the health care organization is responsible for securing the hosted Operating Systems, the applications and the data itself. CSPs differ in the ‘native’ security features they offer, but those always fall short of best-practice security requirements. Therefore, organizations using public clouds are required to supplement the CSP offering to ensure a HIPAA compliant cloud deployment.

As part of a cloud migration process, ePHIs may be ‘exported’ to the cloud, to share with other healthcare organizations, clinicians and insurers, or for cloud-based storage and processing. In such cases encryption of the data in transit and at rest is critical. Firewall policies to control data transfer and access are also required. Since many healthcare organizations have only migrated a portion of their resources to the cloud, the encryption and firewall policies must encompass the hybrid, private and enterprise cloud environments.

When ePHI or other clinical or sensitive data is stored in the cloud, the issue of remote access must also be addressed. Health care professionals, IT staff and others need to access cloud resources from remote offices and via mobile devices. Although remote access provides flexibility, it also carries a significant security risk. Almost half of the healthcare security incidents last year were the result of loss or theft of devices such as laptops, phones or portable drives. Internal threats are especially worrisome, as 15% of the security incidents in healthcare in 2014 were attributed to unapproved or malicious use of organizational resources.

The answer to these threats is strong integration with identity controls and access management. To protect their resources, organizations must implement strong two-factor or multi-factor authentication systems. Identity-based access management policies ensure that employees are not able to access unauthorized data, and multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources.

Another important step in securing healthcare information involves implementing monitoring and logging capabilities. This is emphasized in a cloud environment where the infrastructure is owned by a third party and is shared among several organizations (i.e. multi-tenant). Although logs are important, unless they are regularly monitored in an accurate manner, important or suspicious events will not be noted. Therefore, visibility and automated alerts are critical in early detection of security incidents.

The cloud is becoming the default choice for healthcare CIOs. The fastest path to a secure, compliant healthcare deployment in the cloud requires careful planning and implementation. Key to a viable security solution are encryption, access management and firewall policies, combined with event monitoring capabilities and alerts. Solutions that provide this set of security elements for the public and hybrid cloud are now becoming available in the marketplace, evidence that cloud technologies for healthcare are coming of age.

Are we ready to replace passwords with biometrics for access to our facilities' networks and EHRs? I know that I'm ready for something easier and more secure than my ever-changing facility login, a byproduct of being forced by the system to change my password every couple of months.

In its current iteration, the EHR at my facility takes three separate login steps to get into the record to document a patient encounter or retrieve information. This doesn't seem like much, but multiply it by 20 or 30 patients and it becomes burdensome and a significant time waster.

If a terminal is locked, I have to enter my credentials to access the system and from there, I have to enter my credentials to open the EHR. Then if I want to dictate any notes, I have to again enter my credentials to open the dictation software. It gets old in a hurry, and is a major complaint among members of the medical staff at my community hospital.

The IT team in our organization is experimenting with using the embedded "near field" chip in our ID cards as a way in which to log in to the EHR. It would be a big step forward and would eliminate the majority of authentication to access our EHR. It would also have the added advantage of encouraging all members of the medical staff to carry their hospital IDs, but not all software needed for charting supports this mode of authentication.

Fast Identity Online (FIDO) is the current buzz phrase that refers to all of the biometric authentication technology currently available or planned. We are already using our fingerprints in a variety of ways to unlock our phones and doors, and there are readily available technologies that rely on retinas, irises, face recognition, or voice recognition that are being developed to solve authentication and security problems. We have seen the future in a variety of science fiction films, and much of it is working and available technology.

While there is a tremendous upside to FIDO technology, there are also significant downsides in the form of privacy. We constantly see that passwords are not 100 percent secure, and companies tasked with protecting our personal data stored on their servers also fail. It is not too much of a stretch to raise concerns about personal biometric data being stored on vulnerable servers, and the privacy vulnerability that this represents to us all as individuals.

There should be similar concerns with biometric security data. My fingerprints are stored on my phone as a security measure, but could an enterprising criminal find a way to use that data to reconstruct my fingerprints?

As always, computer technology and software are well ahead of privacy protections and personal security, and will remain so for some time, possibly forever.

To make it work on an EHR, we need enterprise-level solutions, as the thought of customizing my FIDO login separately at each terminal in the hospital defeats the purpose and intent of making this simultaneously easier and more secure.

It seems that an enterprising technology company would see the opportunity in allowing medical providers to quickly and securely sign into an EHR. I know that there are a lot of smart people working on this problem in an attempt to make this both easier and more secure for those of us in the trenches.

As the pace of technology development and implementation becomes more rapid, so does the need for increasing security and privacy, as well as reducing the technological burden on the healthcare providers who daily have to use this technology in the performance of their jobs. These competing trends get more important every day as the penetration of the EHR becomes more ubiquitous.

Keeping data within one's EHR is a great business model for both large-scale users like hospitals and EHR companies alike. You can charge what you want, lock customers in, and keep competitors out. Keeping data within your own software or institution is a huge competitive advantage.

System resident EHR companies are doubling down on this model by acquiring cloud-based EHR companies. Some are moving data out of facilities and into their own cloud-based lockbox. Some are setting their table to be the single click-point as Kayak is to the travel industry.

The winner will become the data supermarket to healthcare.

Except, these strategic movements are mostly about hospital data (which is crisis data and of very limited use in population health), and have limited value to all of the other health and care things that have to be done to move the quality, health status, and cost dials from fiscal Armageddon to sustainability.

That's where hospital-centric strategy will get hospital-centric companies into the cook pot. Healthy people without medical emergencies or crises and not needing sophisticated diagnostics and invasive procedures is bad for hospital business, so, it is understandable for companies to cater to them. Expecting a voluntary, or even some sort of sincere, attempt, however, at a 180-degree transition from a trillion dollar plus, fee-for-service-dependent medical crisis industry to the physician world of a few bucks for prevention is just, how do I put it delicately — disingenuous.

That's why we should not only be skeptical of the motives of these business models, but physicians should step away carefully and demand that EHR companies serve their needs. And, they can be pigs about it because the company that successfully becomes a data supermarket will feed the entire industry.

In the hospital world, controlling data is a competitive advantage, a point of physician control, and a means to continue to extract trillions from insurers long enough to try to make a transition or just keep the industry anchored in their harbor by their sheer size. Hogs that, when they are fat enough have eaten the economy into starvation, will become food instead.

In the physician world, sharing data is a competitive advantage, a point of hospital control, and a means to actionable information to perform population health and create analytics that will derive and extract their value from insurers by what they save, not consume. Also in the trillions. Warm, pink, fuzzy, cute, and sustainable.

This is where we come full circle to the data collection and warehouse world and the real question for the data collectors of healthcare: Are you the hogs or the pigs?

There may be better metaphors to wrap this argument around, but pigs are just so darn cute.

If you’re still debating whether to go with a web-based EHR or a server-based EHR, you should know why a growing number of practices are choosing to go with a cloud EMR.

How does a web-based EMR differ from the older technology of a client server-based EHR system?

A cloud EMR is different (and better, in our opinion) due to the following factors:

Your software is always up to date

With a web-based EMR, the software is always up to date, usually at no additional charge. No more expensive upgrades causing delays; just open the SaaS-based software and you have the latest version.

Rest easy on HIPAA data requirements

Data security is much easier to manage with a web-based system. Cloud EHR vendors can provide much more security for your data than you can internally with office servers. As reported by the Business Insurance site, “Data breaches seem to be everywhere these days except the one place everyone fears—the cloud.” That could be because cloud EMRs offer financial-level security for your data.

Accessibility—work from anywhere

One of the things many users love about the cloud is the ability to work from anywhere—whether it’s e-prescribing from a smartphone or checking a patient record from the beach while on vacation. We don’t recommend you work on your vacation, but we understand the realities of medical practice.

Cloud-based EHR systems allow continued functioning during and immediately after disasters

Hospitals and physicians discovered the benefits of cloud-based data first after Hurricane Katrina and again after Super Storm Sandy; with a web-based system, you can practice (and bill) from anywhere.

Reduced expense for both software and hardware

A cloud-based system is more cost-effective, particularly for small to medium sized practices, since there are no large hardware expenditures and the software expense is a consistent, low subscription rate. You won’t have to plan for large hardware and software expenditures.

Better IT support

Damn it, Jim, you’re a doctor—not an IT person. And you will probably not be able to hire IT support of the same caliber as the staff of a web-based EHR vendor. Why not make use of their resources and eliminate your headaches?

You can use a cloud-based EHR on a mobile device such as an iPad or other tablet

A survey of physicians by web-based EHR review group Software Advice showed that 39% of physicians want to use their EHR on a tablet such as iPad, and in another survey, a majority of patient respondents indicated that they find use of an EHR on a tablet in the exam room to be “not at all bothersome.”

Satisfaction levels are higher among mobile EHR users

A recent survey by tablet-based EHR review group Software Advice found that providers using a mobile EHR expressed twice the satisfaction levels of those using EHRs via non-mobile systems. And as mentioned above, an effective mobile EHR needs to be cloud-based.

It’s particularly important to note that cloud-based systems are nearly always more secure than any system you could set up in your office. For most practices, data security and HIPAA best practices are not their area of expertise—excellent patient care is. But for cloud EMR systems, those areas are key to our success. We are better at it because we must be in order to continue in business. And as mentioned above, the proof is in the lack of data breaches among cloud-based companies.

One proof of the idea that a cloud-based EHR is the best choice is the fact that most EHRs that were originally server-based have since developed cloud-based offerings as well. If server-based technology is state of the art, why are those vendors switching platforms?
